According to a new report from HIMSS Analytics, the Chicago-based research arm of the Healthcare Information and Management Systems Society (HIMSS), the focus on the regulations and guidelines governing data security in the healthcare industry is not resulting in increased security. The study, called The 2012 HIMSS Analytics Report: Security of Patient Data, says there has been a rise in data breaches over the last six years despite tight regulatory activity and compliance surrounding reporting and auditing procedures.
The report indicated that healthcare industry professionals are more prepared than ever to confront data security risks, giving themselves a 6.40 rating on a scale of one to seven (with 1 being "not at all prepared" and seven being "extremely prepared"), as compared to 6.06 in 2010 and 5.88 in 2008. Yet despite this, a growing 27 percent of respondents reported a security breach during that same time period (up from 19 percent in 2010 and 13 percent in 2008). Furthermore, 69 percent experienced more than one, indicating that increased preparedness is not synonymous with increased security.
According to the report, human error remains the greatest threat to healthcare data security. In 2012, 79 percent of respondents reported that a security breach was perpetrated by an employee. Fifty-six (56) percent of respondents indicated that the source of a reported breach was unauthorized access to information by an individual employed by the organization at the time of the breach.
Mobility is also a cause of increased data breaches, according to the report. Thirty-one (31) percent of respondents indicated that information available on a portable device was among the factors most likely to cause a breach (up from 20 percent in 2010 and four percent in 2008). Also, the expectations placed on third-party data security practices are not keeping pace with the increased outsourcing of patient data, the report says. Essentially, third-party breaches are on the rise.
The study found that 18 percent of respondents who experienced a breach in the past 12 months cited third parties as the root cause. Twenty-eight (28) percent of respondents indicated that "sharing information with external parties" is the top item that puts patient data at risk (up from 18 percent in 2010 and 6 percent in 2008).
"Healthcare organizations need to ensure that their business associates are taking every precaution to safeguard this information. We know that most security breaches often are the result of actions taken by employees, so background checks, employee training and continued monitoring of policies and procedures are steps all covered entities should ensure are taken by their business associates," Lisa Gallagher, senior director of privacy and security for the Healthcare Information and Management Systems Society (HIMSS), said in a statement.
There is also a lack of clarity on who is responsible for data security. Respondents named the HIM Director (21 percent), CIO (19 percent), Chief Privacy Officer, Chief Compliance Officer and CEO (12 percent for each title) and Chief Security Officer (10 percent) as the responsible role, indicating that the industry has not defined a single accountable position.
The report was sponsored by Kroll (New York, N.Y.). HIMSS surveyed 250 healthcare industry professionals for this research, which was conducted in December 2011.